Author Topic: Anyone did OSCE (CTP) ?  (Read 13251 times)
H1t M0nk3y
« on: May 19, 2010, 07:59:03 AM »

Hey,

I am almost done doing OSCP and I love it. I would like to start OSCE in early fall. Did anyone on this forum complete the CTP course and pass the OSCE certification?

I am curious to hear some review/feedback.



OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
MaXe
« Reply #1 on: August 17, 2010, 09:58:13 AM »

I recently did the course and I can only say good things about it.

Cracking the Perimeter is a journey of practical hacking combined with imaginative thinking allowing you to perform complex hacks in order to, yes penetrate / crack the perimeter.

Even within the Web Application Security part I learned something new and during the rest of the course I learned a lot about shellcode, overflows, and everything else mentioned on their website which is a must to know (in hardcore depth) if you want to pass the certification.

I used many hours within the labs where I made sure to learn everything I could and more about the course material.

I don't think anyone will regret doing this course, cause it's probably one of the hardest if not the hardest certification to achieve at the moment ;)
« Last Edit: August 17, 2010, 10:04:28 AM by MaXe »

I'm an InterN0T'er
ajohnson
aka dynamik
« Reply #2 on: August 17, 2010, 03:28:40 PM »

Welcome to the forums MaXe!

Can you give any required skills/recommended resources to fill in the gaps between the OSCP and OSCE? It was my impression that the OSCE was significantly more advanced, and it wasn't intended to simply be a natural continuation of the OSCP.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
former33t
« Reply #3 on: August 17, 2010, 05:32:28 PM »

I start on the 29th, so I'll be sure to try to fill in the blanks as I go.  I haven't done OSCP, so taking on the OSCE was a little intimidating.  I finally decided that I had enough interest in the topic to invest the time and enough background to not be wasting my money so I bit the bullet and went for it.  I'll post back by mid September and let you know if I think it was a mistake.

If anyone can share some insight (besides what's in the syllabus), please do so.  I've already paid, so I'm stuck, but I would like to know about others' experiences. 

I made the decision after hearing the same thing as MaXe said echoed by everyone who had taken the course (I won't regret it).

Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
hayabusa
« Reply #4 on: August 17, 2010, 07:03:32 PM »

While I've not paid for it, yet (and won't be until my medical situation is squared away and I'm off these darned meds,) this one is on my list, for one of my next certs to do.  So by all means, let us know what you think of it, former33t (and any others who challenge the course.)

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
MaXe
« Reply #5 on: August 20, 2010, 06:45:01 AM »

@dynamik: The syllabus gives an idea of what to expect: http://www.offensive-security.com/documentation/cracking-the-perimiter-syllabus.pdf and you should be able to complete http://fc4.me/ as well. You can try out the FC4.me challenge without registering.

The skills I think that are required to do the course only would be:
- Web Application Security knowledge. (PHP, MySQL and Apache)
-- You should be able to understand how most if not all vulnerabilities within PHP work.
-- Here's a good "article" to read: http://forum.intern0t.net/offensive-guides-information/1382-finding-vulnerabilities-php-sirgod.html
-- Have a good understanding of how the HTTP protocol works.

- Stack Buffer Overflows with and without SEH overwrites
-- You'll learn a lot about overflows in the PWB course but there are other resources available too.
-- You should be able to understand this perfectly: http://forum.intern0t.net/cinema/video-21/
(Here's an article about this old exploit: http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit )

- Shellcode and Assembly Instructions / Opcodes
-- You should be able to write simple shellcode or be ready to become dedicated to write your own shellcode.
-- If you're not a shellcode "writer" you should be ready to manually write it yourself.
(Metasploit can't always help you in cases where you must use advanced methods.)

- Generic knowledge about networks and other protocols
-- You should know how the TCP/IP (and UDP) protocols function though you don't have to be an engineer.
-- Have a basic understanding of spoofing and man-in-the-middle attacks.

Note: Knowing a scripting language such as Python, Perl or perhaps PHP (CLI) is a good idea too.

You should also have a lot of patience, the will to learn new topics (in-depth, don't avoid any of the exercises) and have a lot of time you can use in the labs to study the course material and the following exercises.

If you choose 30 days it may be some very intensive 30 days, and if you choose 60 days then you should be able to have spare time in between. (I did this course after work in case you wonder.)


About the examination, well I won't disclose too many details on that. But everything covered in the course is only the beginning and you should therefore dedicate a lot of time to learn Web Application Security and Software Exploitation / Security in-depth. (This includes self-written (custom) optimized shellcode and a lot more!)

One shouldn't be intimidated by these facts, because it is one of the greatest journeys I've ever taken and I believe it really is one of the toughest if not the toughest certification at this date. If you have this certification, then I know you're above average within IT-security / Hacking ;)


@former33t: I haven't done the PWB Course nor the OSCP examination, but it is possible to do and understand the CTP course if you have a good understanding about IT-security / Hacking. You won't regret this course ;-)

I'm an InterN0T'er
H1t M0nk3y
« Reply #6 on: August 20, 2010, 08:02:23 AM »

Great review MaXe!

I am challenging OSCP tomorrow morning and IF everything goes well, OSCE would probably be the next one.

Quote
The skills I think that are required to do the course only would be:
- Web Application Security knowledge. (PHP, MySQL and Apache)
-- You should be able to understand how most if not all vulnerabilities within PHP work.
-- Here's a good "article" to read: http://forum.intern0t.net/offensive-guides-information/1382-finding-vulnerabilities-php-sirgod.html
-- Have a good understanding of how the HTTP protocol works.

I am also looking at a very good web app pentest course. Would you consider OSCE to cover web app exploit in depth?


OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
impelse
« Reply #7 on: August 20, 2010, 08:38:11 AM »

Quote from: H1t M0nk3y
Great review MaXe!

I am challenging OSCP tomorrow morning and IF everything goes well, OSCE would probably be the next one.

You will be fine tomorrow in your challenge.

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
H1t M0nk3y
« Reply #8 on: August 20, 2010, 08:40:32 AM »

Thanks impelse.

I am almost ready now. Just one or two things to read and practice and I relax until the exam.

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
hayabusa
« Reply #9 on: August 20, 2010, 09:29:51 AM »

Yep... relax! ;) Let us know how it goes.  Excited for you.  It's quite an experience!

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
ajohnson
aka dynamik
« Reply #10 on: August 20, 2010, 09:31:55 AM »

Thanks for the feedback, MaXe.

I got through their registration challenge quickly, but I really don't want it to give me a false sense of where I stand in terms of the course content. I'm solid on the networking side of things, decent with the web stuff, but I am completely lacking on the shellcoding/exploit development side of things.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
MaXe
« Reply #11 on: August 20, 2010, 09:48:41 AM »

Quote from: H1t M0nk3y
Great review MaXe!

I am challenging OSCP tomorrow morning and IF everything goes well, OSCE would probably be the next one.

Quote
The skills I think that are required to do the course only would be:
- Web Application Security knowledge. (PHP, MySQL and Apache)
-- You should be able to understand how most if not all vulnerabilities within PHP work.
-- Here's a good "article" to read: http://forum.intern0t.net/offensive-guides-information/1382-finding-vulnerabilities-php-sirgod.html
-- Have a good understanding of how the HTTP protocol works.

I am also looking at a very good web app pentest course. Would you consider OSCE to cover web app exploit in depth?



Thanks and good luck!

The CTP course will give you some ideas about Web Application Security in-depth and the examination will prove that point, but it does not cover everything there is and you should have a very good base either from another certification or by self-study.

I don't know of any certifications within Web App Sec that are worth doing but I'll be glad to hear of any ;)


Quote from: ajohnson
Thanks for the feedback, MaXe.

I got through their registration challenge quickly, but I really don't want it to give me a false sense of where I stand in terms of the course content. I'm solid on the networking side of things, decent with the web stuff, but I am completely lacking on the shellcoding/exploit development side of things.

Sounds good, but you should focus on learning more about Exploit Development then and of course Shellcoding even though most of this is covered within the course quite well (don't forget to use the forums too). I can't say that you'll know everything about exploit development after the CTP course, cause you won't but you'll have a better understanding especially if you've played with a few simple Stack Overflows in the past ;)


Note: Nothing within the CTP course and the OSCE examination is impossible to do, but it is quite hard. (Especially the exam.)
« Last Edit: August 20, 2010, 09:55:19 AM by MaXe »

I'm an InterN0T'er
ajohnson
aka dynamik
« Reply #12 on: August 20, 2010, 10:02:19 AM »

Oh yea, I've got Gray Hat Hacking, The Shellcoder's Handbook, and Hacking: The Art of Exploitation on my reading list. I fully intend on being prepared.

Thanks again for the feedback :)

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
Equix3n-
« Reply #13 on: August 20, 2010, 10:36:11 AM »

@dynamik
Nothing related to this thread, but just wanted to tell you that if you ever start learning from shellcoder's handbook use an old distro for the first 4-5 chapters. Preferably Redhat Linux 8 and above.
The examples used in these chapters assume that you've absolutely no protection enabled in your system- NX bits, ASLR... Even Redhat Linux 9 uses ASLR, built in the kernel and can't be disabled, and so you won't be able to use it for a LOT of exploits.
Majority of these protections can be disabled in the current distributions but there are still hidden elements which prevent your code from working properly. I learned all of this the hard way :-[

It's still fun to first test your code in an old distro and then try to make it work in the newer ones :P
ajohnson
aka dynamik
« Reply #14 on: August 20, 2010, 11:02:30 AM »

I think I saw you make note of that before, but thanks for the reminder :)

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.